You must obtain the root certificate from the CA that signed the certificates on the smart cards presented by your users and administrators.
About this task
If you do not have the root certificate of the CA that signed the certificates on the smart cards presented by your users and administrators, you can export a root certificate from a CA-signed user certificate or a smart card that contains one. See Obtain the Root Certificate from Windows.
A Microsoft IIS server running Microsoft Certificate Services. See the Microsoft TechNet Web site for information on installing Microsoft IIS, issuing certificates, and distributing certificates in your organization.
The public root certificate of a trusted CA. This is the most common source of a root certificate in environments that already have a smart card infrastructure and a standardized approach to smart card distribution and authentication.
What to do next
Add the root certificate to a server truststore file. See Add the Root Certificate to a Server Truststore File.